DNS-based captive portal with integrated transparent proxy to protect against user device caching incorrect IP address

ABSTRACT

A captive portal system includes a login database, a web server, and a name server. The name server receives a DNS request from a user device, queries the login database to determine whether the user device is logged in, and responds to the DNS request with the IP address of the web server as a resolved IP address of the specified domain name when the user device is not logged in. The web server accepts a connection request from the user device to the IP address of the web server, receives an HTTP request specifying a non-local target URL from the user device, queries the login database to determine whether the user device is logged in according to the source address of the user device, and acts as a transparent proxy between the user device and the non-local target URL when the user device is logged in.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/667,763 filed Aug. 3, 2017, which is a continuation of U.S. patentapplication Ser. No. 14/279,008 filed May 15, 2014, which claims thebenefit of priority of U.S. Provisional Patent Application No.61/824,246 filed May 16, 2013. Each of these applications areincorporated herein by reference.

BACKGROUND OF THE INVENTION (1) Field of the Invention

The invention pertains generally to captive portals. More specifically,the invention relates to a DNS-based captive portal with integratedtransparent proxy to protect against a user's device caching anincorrect IP address.

(2) Description of the Related Art

The term “captive portal” generally refers to any technique thatautomatically forces a client device running a web browser to display aspecially designated web page before being permitted to access a networksuch as the Internet in a normal manner.

Captive portals are often utilized in situations where it is required toforce new users to view a login portal. For example, before allowing aguest in a hotel to surf the Internet, the guest may be required to login at the hotel's login portal for billing and/or authenticationpurposes. Although it is possible to simply instruct users to manuallynavigate to a special Uniform Resource Locator (URL) or InternetProtocol (IP) address such as by placing instructional cards orbrochures near network connection ports in the hotel room, a typicalhotel guest would not read these instructions and instead expect theprocess to be fully automatic. A more user-friendly design presents theuser with the login portal regardless of what web site the user mayfirst try to load.

A known type of captive portal involves a domain name system (DNS)server resolving all domain names for unlogged in user devices to the IPaddress of a login portal. Essentially, the captive portal is performingDNS poisoning so that domain name requests from unlogged users arealways resolved to the IP address of the hotel's login portal instead ofthe proper IP address of the requested website on the Internet. Afterthe user device has logged in, the DNS server will begin to properlyresolve domain name requests from the user device to their correct IPaddresses using standard DNS techniques.

A first problem with a DNS-based captive portal is it will only work ifthe user initially attempts to browse to a URL with a domain nameaddress and will not work if the user attempts to connect to a URL witha specific IP address. For example, if a non-logged in user at a hotelattempts to browse a web site such as “http://5.6.7.1/index.html”,unless the specified IP address matches that of the hotel's loginportal, the user will not see the login portal. There is no way via theDNS protocol to cause the browser on the user's computer to display thelogin portal if the user device does not attempt to perform a domainname lookup.

A second problem with deliberately performing DNS poisoning for unloggedin user devices is that the user devices may cache the IP address of thelogin portal even after they are logged in. For example, if anunauthorized user device attempts to browse the web site “example.com”,the DNS server will provide the IP address of the login portal, forexample, 192.168.1.1 because the user device is not yet logged in. Aftersuccessfully logging in, when the user again attempts to browse theexternal web site at “example.com”, the user's device may directlyattempt to connect to 192.168.1.1 without performing a new DNS querybecause the user device has cached this incorrect IP for the domain name“example.com”.

A known solution to this problem involves configuring the DNS server ofthe captive portal to provide a low time-to-live (TTL) such as zeroseconds when resolving domain names to the IP address of the loginportal for unauthorized user devices. The TTL informs the user device ofthe time duration for which the provided IP address will be valid. Oncethe time duration specified by the TTL for a particular domain nameexpires, the user device should re-perform a DNS lookup for the nextoperation requiring the IP address of that particular domain name.

In theory, setting the TTL to zero seconds should completely prevent theuser device from caching an incorrect IP address. However, in practice,there is no guarantee the user device will respect the TTL. Even if theunderlying operating system on the user device does respect the TTL fora DNS-provided IP address, some applications running on the user'scomputer may keep their own cached IP addresses and not respect the TTL.For example, a web browser on the user device may cache mappings ofdomain names to IP addresses to avoid making repeated internal requeststo the operating system running on the user device. Such caching actionby the browser increases the speed at which websites render; however, itcauses problems in a DNS-based captive portal because the browser maycontinue to connect with the IP address of the login portal for URLsinvolving domain names that were requested prior to successful login. Inother words, for URLs requested prior to successful login, the browserwill continue to display to the login portal even after the user hassuccessfully logged in. To solve this problem, a user needs to either 1)wait some period of time until the browser automatically clears itsinternal cache of DNS-provided IP addresses, or 2) close and restart thebrowser, which will generally startup in a fresh state without anycached IP addresses.

BRIEF SUMMARY OF THE INVENTION

According to an exemplary embodiment of the invention there is discloseda captive portal system for controlling access from user devices to anexternal network. The captive portal system includes a storage devicestoring a login database, the login database specifying source addressesof user devices that are currently logged in, a web server coupled tothe storage device and a computer network, and configured with an IPaddress accessible on the computer network, and a name server coupled tothe storage device and the computer network, for resolving domain namesto IP addresses. The name server is configured to receive a DNS requestfrom a user device to resolve a target domain name, query the logindatabase to determine whether the user device is logged in according toa source address of the user device, respond to the DNS request with theIP address of the web server as a resolved IP address of the targetdomain name when the user device is not logged in, and respond to theDNS request with a correct IP address of the target domain name when theuser device is logged in. The web server is configured to accept aconnection request from the user device to the IP address of the webserver, receive an HTTP request specifying a non-local target URL fromthe user device over the connection, wherein the non-local target URL isnot a URL provided by the web server, query the login database todetermine whether the user device is logged in according to the sourceaddress of the user device, respond to the HTTP request by acting as atransparent proxy between the user device and the non-local target URLto thereby allow the user device to receive the content of the non-localtarget URL when the user device is logged in, and respond to the HTTPrequest with alternate content different than that provided at thenon-local target URL when the user device is not logged in.

According to another exemplary embodiment of the invention there isdisclosed a method of controlling access from user devices to anexternal network. The method includes tracking in a login databasesource addresses of user devices that are currently logged in;receiving, by a name server, a DNS request from a user device to resolvea target domain name; and querying, by the name server, the logindatabase to determine whether the user device is logged in according toa source address of the user device. The method further includesresponding, by the name server, to the DNS request with the IP addressof a web server accessible to the user device from within the captiveportal as a resolved IP address of the target domain name when the userdevice is not logged in; responding, by the name server, to the DNSrequest with a correct IP address of the target domain name when theuser device is logged in; and accepting, by the web server accessible tothe user device from within the captive portal, a connection requestfrom the user device to the IP address of the web server. The methodfurther includes receiving, by the web server, an HTTP requestspecifying a non-local target URL from the user device over theconnection, wherein the non-local target URL is not a URL provided bythe web server; querying, by the web server, the login database todetermine whether the user device is logged in according to the sourceaddress of the user device; responding, by the web server, to the HTTPrequest by acting as a transparent proxy between the user device and thenon-local target URL to thereby allow the user device to receive thecontent of the non-local target URL when the user device is logged in;and responding, by the web server, to the HTTP request with alternatecontent different than that provided at the non-local target URL whenthe user device is not logged in.

According to yet another exemplary embodiment of the invention there isdisclosed a non-transitory computer-readable medium comprising computerexecutable instructions that when executed by one or more computerscause the one or more computers to perform the above method ofcontrolling access from user devices to an external network.

According to yet another exemplary embodiment of the invention there isdisclosed a captive portal system for controlling access from userdevices to an external network. The captive portal system includes meansfor tracking source addresses of user devices that are currently loggedin; means for receiving a DNS request from a user device to resolve atarget domain name; means for querying the login database to determinewhether the user device is logged in according to a source address ofthe user device; and means for responding to the DNS request with the IPaddress of a web server accessible to the user device from within thecaptive portal as a resolved IP address of the target domain name whenthe user device is not logged in. The captive portal system furtherincludes means for responding to the DNS request with a correct IPaddress of the target domain name when the user device is logged in;means for accepting a connection request from the user device to the IPaddress of the web server; means for receiving an HTTP requestspecifying a non-local target URL from the user device over theconnection, wherein the non-local target URL is not a URL provided bythe web server; and means for querying the login database to determinewhether the user device is logged in according to the source address ofthe user device. The captive portal system further includes means forresponding to the HTTP request by acting as a transparent proxy betweenthe user device and the non-local target URL to thereby allow the userdevice to receive the content of the non-local target URL when the userdevice is logged in; and means for responding to the HTTP request withalternate content different than that provided at the non-local targetURL when the user device is not logged in.

According to yet another exemplary embodiment of the invention there isdisclosed a server in a captive portal system. The server includes afirst network interface coupled to a local computer network, a secondnetwork interface coupled to an external computer network, and one ormore processors. The one or more processors are configured to receive aDNS request from a user device on the local computer network to resolvea target domain name on the external computer network, query a logindatabase to determine whether the user device is logged in at a time ofthe DNS request according to a source address of the user device, andrespond to the DNS request with the IP address of the server as aresolved IP address of the target domain name when the user device isnot logged in at the time of the DNS request. The one or more processorsare further configured to respond to the DNS request with a correct IPaddress of the target domain name when the user device is logged in atthe time of the DNS request, and accept a connection request from theuser device on the local computer network to the IP address of the webserver, the connection request coming sometime after the DNS request.The one or more processors are further configured to receive an HTTPrequest specifying a non-local target URL from the user device over theconnection, wherein the non-local target URL is not a URL provided bythe web server; query a login database to determine whether the userdevice is logged in at a time of the HTTP request according to thesource address of the user device; and respond to the HTTP request byacting as a transparent proxy between the user device and the non-localtarget URL to thereby allow the user device to receive the content ofthe non-local target URL when the user device is logged in at the timeof the HTTP request. The one or more processors are further configuredto respond to the HTTP request with alternate content different thanthat provided at the non-local target URL when the user device is notlogged in at the time of the HTTP request.

According to yet another exemplary embodiment of the invention there isdisclosed a web server in a captive portal system. The web serverincludes a network interface coupled to a computer network and one ormore processors configured to accept a connection request from the userdevice to the IP address of the web server; receive an HTTP requestspecifying a non-local target URL from the user device over theconnection, wherein the non-local target URL is not a URL provided bythe web server; query a login database to determine whether the userdevice is logged in according to the source address of the user device;respond to the HTTP request by acting as a transparent proxy between theuser device and the non-local target URL to thereby allow the userdevice to receive the content of the non-local target URL when the userdevice is logged in; and respond to the HTTP request with alternatecontent different than that provided at the non-local target URL whenthe user device is not logged in.

According to yet another exemplary embodiment of the invention there isdisclosed a method performed by a web server. The method includesaccepting a connection request from a user device to an IP address ofthe web server; receiving an HTTP request specifying a non-local targetURL from the user device over the connection, wherein the non-localtarget URL is not a URL provided by the web server; querying a logindatabase to determine whether the user device is logged in according tothe source address of the user device; responding to the HTTP request byacting as a transparent proxy between the user device and the non-localtarget URL to thereby allow the user device to receive the content ofthe non-local target URL when the user device is logged in; andresponding to the HTTP request with alternate content different thanthat provided at the non-local target URL when the user device is notlogged in.

According to yet another exemplary embodiment of the invention there isdisclosed a non-transitory computer-readable medium comprising computerexecutable instructions that when executed by a computer cause thecomputer to perform the above method of the web server.

According to yet another exemplary embodiment of the invention there isdisclosed a web server in a captive portal system. The web serverincludes means for accepting a connection request from a user device toan IP address of the web server; means for receiving an HTTP requestspecifying a non-local target URL from the user device over theconnection, wherein the non-local target URL is not a URL provided bythe web server; means for querying a login database to determine whetherthe user device is logged in according to the source address of the userdevice; means for responding to the HTTP request by acting as atransparent proxy between the user device and the non-local target URLto thereby allow the user device to receive the content of the non-localtarget URL when the user device is logged in; and means for respondingto the HTTP request with alternate content different than that providedat the non-local target URL when the user device is not logged in.

According to yet another exemplary embodiment of the invention there isdisclosed a name server in a captive portal system. The name serverincludes a network interface coupled to a computer network and one ormore processors configured to receive a DNS request from a user deviceto resolve a target domain name; query the login database to determinewhether the user device is logged in according to a source address ofthe user device and respond to the DNS request with a correct IP addressof the target domain name when the user device is logged in; checkwhether the target domain name is a cleared site and respond to the DNSrequest with the correct IP address of the target domain name when thetarget domain name is a cleared site; and respond to the DNS requestwith the IP address of a web server accessible to non-logged in userdevices from within the captive portal as a resolved IP address of thetarget domain name when the target domain name is not a cleared site andthe user device is not logged in.

According to yet another exemplary embodiment of the invention there isdisclosed a method performed by a name server in a captive portalsystem. The method includes receiving a DNS request from a user deviceto resolve a target domain name; receiving a DNS request from a userdevice to resolve a target domain name; querying the login database todetermine whether the user device is logged in according to a sourceaddress of the user device and responding to the DNS request with acorrect IP address of the target domain name when the user device islogged in; checking whether the target domain name is a cleared site andresponding to the DNS request with the correct IP address of the targetdomain name when the target domain name is a cleared site; andresponding to the DNS request with the IP address of a web serveraccessible to non-logged in user devices from within the captive portalas a resolved IP address of the target domain name when the targetdomain name is not a cleared site and the user device is not logged in.

According to yet another exemplary embodiment of the invention there isdisclosed a non-transitory computer-readable medium comprising computerexecutable instructions that when executed by one or more computerscause the one or more computers to perform the above method of the nameserver.

According to yet another exemplary embodiment of the invention there isdisclosed a name server in a captive portal system. The name serverincludes means for receiving a DNS request from a user device to resolvea target domain name; means for receiving a DNS request from a userdevice to resolve a target domain name; means for querying the logindatabase to determine whether the user device is logged in according toa source address of the user device and responding to the DNS requestwith a correct IP address of the target domain name when the user deviceis logged in; means for checking whether the target domain name is acleared site and responding to the DNS request with the correct IPaddress of the target domain name when the target domain name is acleared site; and means for responding to the DNS request with the IPaddress of a web server accessible to non-logged in user devices fromwithin the captive portal as a resolved IP address of the target domainname when the target domain name is not a cleared site and the userdevice is not logged in.

According to yet another exemplary embodiment of the invention there isdisclosed a server in a captive portal system. The server including afirst network interface coupled to a local computer network, a secondnetwork interface coupled to an external computer network, a memorydevice storing a plurality of software instructions, and one or moreprocessors coupled to the memory device, the first network interface,and the second network interface. By the one or more processorsexecuting the software instructions loaded from the memory device, theone or more processors are configured to accept a connection requestedfrom a user device on the local computer network to an IP address of theserver. The connection to the IP address of the server occurs as aresult of a name server previously determining the user device to not belogged in to the captive portal system and providing the user device theIP address of the server as a resolved IP address of a target domainname. The user device thereafter caches the IP address of the serverprovided by the name server as the resolved IP address of the targetdomain name. The one or more processors are further configured todetermine whether the user device is logged according to a sourceaddress of the user device and act as a transparent proxy between theuser device and a remote destination on the external computer network tothereby allow the user device to receive content from the remotedestination via the connection in response to determining that the userdevice is logged in. The one or more processors are further configuredto send alternate content different than that provided by the remotedestination to the user device via the connection when the user deviceis not logged in.

According to yet another exemplary embodiment of the invention there isdisclosed a method of controlling access from user devices to anexternal network. The method includes accepting a connection requestedfrom a user device on a local computer network to an IP address of aserver. The connection to the IP address of the server occurs as aresult of a name server previously determining the user device to not belogged in to a captive portal system and providing the user device theIP address of the server as a resolved IP address of a target domainname. The user device thereafter caching the IP address of the serverprovided by the name server as the resolved IP address of the targetdomain name. The method further includes determining whether the userdevice is logged in according to a source address of the user device andacting as a transparent proxy between the user device and a remotedestination on the external network to thereby allow the user device toreceive content from the remote destination via the connection inresponse to determining that the user device is logged in. The methodfurther includes sending alternate content different than that providedby the remote destination to the user device via the connection when theuser device is not logged in.

According to yet another exemplary embodiment of the invention there isdisclosed a non-transitory computer-readable medium comprising computerexecutable instructions that when executed by one or more computerscause the one or more computers to perform steps of accepting aconnection requested from a user device on a local computer network toan IP address of a server. The connection to the IP address of theserver occurs as a result of a name server previously determining theuser device to not be logged in to a captive portal system and providingthe user device the IP address of the server as a resolved IP address ofa target domain name. The user device thereafter caches the IP addressof the server provided by the name server as the resolved IP address ofthe target domain name. The steps further include determining whetherthe user device is logged in according to a source address of the userdevice and acting as a transparent proxy between the user device and aremote destination on an external network to thereby allow the userdevice to receive content from the remote destination via the connectionin response to determining that the user device is logged in. The stepsfurther include sending alternate content different than that providedby the remote destination to the user device via the connection when theuser device is not logged in.

In an advantageous embodiment of the invention, a name server of aDNS-based captive portal provides the correct IP address of a requesteddomain name when either 1) the user device making the request is loggedin, or 2) the requested domain name is on a list of cleared web sites;otherwise, the name server provides the IP address of an administratorspecified web server. In an advantageous embodiment of the invention, alogin web server of a DNS-based captive portal also acts as atransparent proxy for logged in user devices so that the logged in userdevices can still access target URL(s) via HTTP and HTTPS even when theyhave cached the login server's IP address for the host domain of thetarget URL(s). These and other advantages of the present invention willno doubt become apparent to those of ordinary skill in the art afterreading the following detailed description of the preferred embodimentthat is illustrated in the various figures and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be described in greater detail with reference to theaccompanying drawings which represent preferred embodiments thereof.

FIG. 1 shows a block diagram of a captive portal system according to anexemplary embodiment of the invention.

FIG. 2 shows a flowchart of operations performed by the domain namesystem (DNS) server of FIG. 1 according to an exemplary embodiment ofthe invention.

FIG. 3 shows a flowchart of operations performed by the login server andintegrated transparent proxy of FIG. 1 according to an exemplaryembodiment of the invention.

FIG. 4 shows a flowchart of operations performed by the domain namesystem (DNS) server of FIG. 1 in order to allow free web sites accordingto an exemplary embodiment of the invention.

FIG. 5 shows a flowchart of operations performed by the login web serverof FIG. 1 in order to allow free websites according to an exemplaryembodiment of the invention.

FIG. 6 shows operations of the login server of FIG. 1 in order to log ina user device, set up various rules in the firewall/gateway, and add thedevice identifier to the login database according to an exemplaryembodiment of the invention.

FIG. 7 shows exemplary rules utilized to configure the firewall/gatewayof FIG. 1 according to an exemplary embodiment of the invention.

DETAILED DESCRIPTION

FIG. 1 shows a block diagram of a captive portal system 100 according toan exemplary embodiment of the invention. In this embodiment, thecaptive portal system 100 controls access to the Internet 104 for userdevices 116, 117 operated by guests of a hospitality establishment suchas a hotel.

The captive portal system 100 includes captive portal server 102 coupledbetween an external network such as the Internet 104 and a hotel localarea network (LAN) 112. One or more cleared websites 106 and non-clearedwebsites 108 are coupled to the Internet 104. In this example, thecleared web sites 106 include an external login portal 110 and a hotelchain website 111. One or more logged in user devices 116 and one ormore non-logged in user devices 117 are coupled to the hotel LAN 112.The captive portal server 102 in this embodiment is a computer havingone or more processors 120, which execute a computer program loaded froma non-transitory storage medium 122 such as a hard disk. The processors120 are configured via the computer program to perform the functions ofa gateway/firewall 118, a domain name system (DNS) server 134 includinga first DNS 136 for logged in devices 116 and a second DNS 138 fornon-logged in devices 117. The processors 120 are also configured viathe computer program to perform the functions of a DHCP server 131,login web server 128, a transparent proxy 126, and an encryption module124. The storage medium 122 or another storage device such a randomaccess memory (RAM) also stores a cleared sites list 139 and a logindatabase 130. In the following description, the plural form of the word“processors” is utilized as it is common for a central processing unit(CPU) of a computer server to have multiple processors (sometimes alsoreferred to as cores); however, it is to be understood that a singleprocessor may also be configured to perform the below-describedfunctionality in other implementations.

Upon initial connection to the hotel LAN 112, a typical user device 116,117 will utilize the dynamic host configuration protocol (DHCP) toautomatically configure itself for the hotel LAN 104. DHCP is well-knownin the art and involves the client device 138 sending various DHCPmessages such as a “discover” and “request” in order to be assignednetwork settings for use on the hotel LAN 104. In response to theserequests, the captive portal server 102 acts as a DHCP server 131 todynamically assign the user device 116, 117 an IP address to use on thehotel LAN 102, to provide the user device 116, 117 with the IP addressof the appropriate DNS server 134 to allow the user device to resolvedomain names, and to provide the client device 138 with the IP addressof the captive portal server 102 as the default gateway 118. Forexample, this step may be performed by the one or more processors 120executing a DHCP server 131 module from the module storage media 122.Alternatively, another DHCP server on the hotel LAN 112 may performthese functions. Because the captive portal server 102 is set as theclient device's default gateway 118, the client device 138 will sendfuture IP packets having destinations off the hotel LAN 104 to thegateway 118 running on the captive portal server 104. In the followingdescription, gateway and firewall functionality are both performed bythe module 118 shown in FIG. 1 as the “gateway/firewall” 118; however,it is to be understood that the functionality of the gateway andfirewall do not necessarily need to be performed by a single module andmay be separated in other embodiments.

In a preferred embodiment, the DHCP server 131 (either implemented bythe captive portal server 102 or another DHCP server on hotel LAN 112)provides all user devices, both logged in 116 and non-logged in 117, thesame IP address of the captive portal's DNS server 134 for performingDNS lookups. As will be explained below with reference to the firewallrules in FIG. 6, logged in users devices 116 will have their DNSrequests automatically forwarded by the firewall 118 to the first nameserver 136, and non-logged in user devices 117 will have their DNSrequests automatically forwarded by the firewall 118 to the second nameserver 138. In an alternate embodiment, the DHCP server 131 may querythe login database 130 to see if the requesting user device 116, 117 isalready logged in according to the source address of the requesting userdevice. The DHCP server 131 then provides logged in user devices 116with the IP address of the first name server 136 for DNS queries, andwill provide non-logged in user devices 117 with the IP address of thesecond name server 138 for DNS queries.

As shown in FIG. 1, the captive portal server 102 includes a DNS server134 comprised of two name servers 136, 138. One function of the DNSserver 134 is to resolve all DNS requests by non-logged in user devices117 for non-cleared external domain names (corresponding to non-clearedwebsites 108) to the IP address of the login web server 128. Thenon-logged in user device 117 will then establish a connection to thelogin server 128's IP address directly, and the login server 128 acceptsthe incoming connection and receives a normal HTTP request from thenon-logged in user device 117 over the connection. In response to theHTTP request, the login web server 128 provides alternate content to theuser device 117 such as a button for the user to click in order toproceed to the login portal start page. The start page may be accessedvia HTTPS to protect the confidentiality of user information.

Once a non-logged in user device 117 is logged in and becomes a loggedin user device 116, all DNS requests from the logged in user device 116are handled by the DNS server 134 in the manner of a typical DNS serverso that the user device 116 receives the actual (i.e., correct) IPaddress for all target domain names including those for the non-clearedwebsites 108.

Because a logged in user device 116 or applications running thereon maystill cache the IP address of the login web server 128 for a target(non-cleared) URL, the login web server 128 is further configured to actas a transparent proxy 126 for both HTTP and HTTPS requests fromlogged-in user devices 116. In this way, even though a logged in userdevice 116 may improperly cache the login server 128's IP address (i.e.,an incorrect IP address) for a particular domain name, the user device116 can still access web content at that particular domain name aftersuccessfully logging in.

FIG. 2 shows a flowchart of operations performed by the domain namesystem (DNS) server 134 of FIG. 1 according to an exemplary embodimentof the invention. With reference to FIG. 1, the steps of FIG. 2 areperformed by the processors 120 of the captive portal server 102, or, inanother embodiment, the steps may be performed by one or more processorsof a standalone DNS server 134. The steps of the flowchart are notrestricted to the exact order shown, and, in other configurations, shownsteps may be omitted or other intermediate steps added. In thisembodiment, the name server 134 performs the following steps:

At step 200, the DNS server 134 on the hotel LAN 112 receives a DNSquery from a user device 116, 117 at the hotel.

At step 202, the DNS server 134 queries the login database 130 todetermine whether the source user device 116, 117 from which the requestwas received at step 200 is logged in or not. The Ethernet frames and IPpackets carrying the DNS request received at step 200 will specify thesource MAC/IP addresses of the user device 116, 117 that made therequest. Using this information, the DNS server 134 can query the logindatabase 130 to determine whether there is a currently logged in userdevice 116 that has a matching source address. Either the MAC or IPaddress of the user device 116 could be used as the source address indifferent embodiments.

At step 204, control proceeds to step 210 when the source user device116 is already logged in; alternatively, control proceeds to step 206when the source user device 117 is not logged in.

At step 206, because the source user device 117 is not yet logged in,the DNS server 134 replies to the DNS request with the IP address of thelogin web server 128 as the resolved IP address. To reduce the need forthe login server 128 to act as the transparent proxy 126 for logged inuser devices 116, the second name server 138 should set a shorttime-to-live when resolving a URL to the IP address of the login server128 for non-logged in user devices 117. For example, the TTL of the IPaddress of the login web server 128 provided in the DNS response by thesecond name server 138 at step 206 can be set to zero seconds.

At step 210, because the source user device 116 is already logged in,the DNS server 134 replies to the DNS request with the correct IPaddress of the target domain name using the standard, well-known DNStechniques.

The DNS server 134 on hotel LAN 112 is customized to resolve all domainnames to the IP address of the login server 128 for requests fromnon-logged in user devices 117, and to resolve domain names to theircorrect IP addresses for requests from logged in user devices 116.

In this embodiment, the DNS server 134 is actually composed of two nameservers: a first name server 136 for logged in user devices 116 (step210); and a second name server 138 for non-logged in devices 117 (step206). Separating the DNS server 134 into two different name servers 136,138 is beneficial because a standard, off-the-shelf DNS server can beutilized for the first name server 136 handling the logged in userdevices 116. The bulk of DNS requests received at step 200 will behandled by the first name server 136 and will be handled veryefficiently because the first name sever 136 is simply a standard DNSserver. In this embodiment, the second name server 138 for handling DNSrequests received from non-logged in devices 117 (step 206) is similarto a DNS black hole that will resolve all (or most) target domains tothe IP address of the login server 128. Forwarding of DNS requests fromlogged in user devices 116 and non-logged in user devices 117 to theappropriate one of the two name servers 136, 138 can be performed by thefirewall 117. In another embodiment, the two DNS servers 136, 138 can beimplemented as a single DNS 134 having different actions depending onthe logged in status of the source user device 116.

FIG. 3 shows a flowchart of operations performed by the login server 128and integrated transparent proxy 126 of FIG. 1 according to an exemplaryembodiment of the invention. With reference to FIG. 1, the steps of FIG.3 are performed by the processors 120 of the captive portal server 102,or, in another embodiment, the steps may be performed by one or moreprocessors of a standalone web server 128, transparent proxy 126, and/orencryption module 124. The steps of the flowchart are not restricted tothe exact order shown, and, in other configurations, shown steps may beomitted or other intermediate steps added. In this embodiment, the loginweb server 128 performs the following steps:

At step 300, the web server 128 receives and accepts a TCP connectionrequest from a user device 116, 117. The connection request received atthis step has a destination IP address matching that assigned to the webserver 128 and a source IP address matching that assigned to the userdevice 116, 117 making the request (e.g., preassigned via a DHCP processupon its first connection to hotel LAN 112). In another embodiment, thesource MAC address of the user device 116, 117 making the request couldbe utilized as a device identifier.

At step 302, control proceeds to step 304 if encryption is required suchas in an HTTP Secure (HTTPS) session. Alternatively, if no encryption isrequired, control proceeds to step 306. Typically the web server 128will receive regular HTTP requests over a TCP connection established onport 80 and encrypted HTTPS requests over a secure connectionestablished on port 443.

At step 304, the web server establishes the secure connection using theSSL/TLS protocol as is well-known in the art; further description ofthis step is omitted for brevity.

At step 306, the web server 128 receives an HTTP request from the userdevice 116, 117 over the established TCP connection (e.g., either securevia port 443 or unsecured over port 80).

At step 308, the web server 128 examines the destination “host” field inthe HTTP request header to determine whether the HTTP request isdirected at the login web server 128 itself. The “host” header field ismandatory since HTTP/1.1 and specifies the domain name of the server andoptionally the TCP port number on which the destination server islistening. When the value of the “host” field in the HTTP requestmatches the assigned domain name of the login web server 128 itself, thetarget host is deemed to be the local host and control proceeds to step308 to return the specified web content. Alternatively, when the valueof the “host” field in the incoming HTTP request does not match theassigned domain name of the login web server 128, this means that thelogin web server 128 has received the HTTP request even though the loginweb server 128 does not provide the requested content. In this situationcontrol proceeds to step 312.

At step 310, the web server 128 replies to the HTTP request with therequested local page content as specified in the HTTP request (e.g., thedesired content link will be specified in HTTP requests using the GETmethod.) This step constitutes the typical action of a web server and iswell known in the art.

Examples of local content that may be returned at this step includepages of the login portal provided by the login web server. Credit cardor other payment details may also be accepted using local pages on theweb server 128 and the user may have to agree to terms and conditions asdisplayed to the user on various local web pages sent to the user atthis step 308. Since several HTTP requests may be received over the sameTCP connection, in a preferred embodiment the web server 128 does notclose the connection with the user device after replying with therequested local page content at this step. Control proceeds back to step306 to receive another HTTP request over the connection with the userdevice 116, 117. In another embodiment, the server 128 simply closes theconnection after step 310 instead of proceeding back to step 306.

At step 312, the web server 128 queries the login database 130 in orderto determine whether the source user device 116, 117 from which the HTTPrequest was received at step 306 is logged in or not. Similar to aspreviously described for step 202 of FIG. 2, the Ethernet frames and IPpackets carrying the HTTP request received at step 306 will specify thesource MAC/IP addresses of the user device 116, 117 that made therequest. Using this information, the web server 128 can query the logindatabase 130 to determine whether there is a currently logged in userdevice 116 that has a matching source address. Either the MAC or IPaddress of the user device 116 could be used as the source address indifferent embodiments.

At step 314, control proceeds to step 318 when the source user device116 is already logged in. This situation occurs when a logged in userdevice 116 mistakenly caches the IP address of the login web server 128(i.e., an incorrect IP address) for another host's domain name.Alternatively, if the source user device 117 is not logged in, controlproceeds to step 316. This situation occurs as a result of the domainnames for all non-cleared web sites being resolved by DNS server 134 tothe IP address of the login web server 128.

At step 316, the web server replies to the non-logged in user device 117with alternate page content even though the user device 117 isrequesting content on another web host. The purpose of the alternatecontent is to cause the non-logged in user device 117 to display captiveportal screens rather than the requested content on the target host asspecified in the HTTP request. Examples of alternative content thatcould be generated and/or sent to the user device 117 by the web server128 at this step include: a browser redirection message causing a webbrowser running on the non-logged in user device 117 to automaticallyredirect to a first page of the login portal on either the internallogin web server 128 or the external login portal 110; web page HTMLcontent cause the web browser running on the non-logged in user device117 to display a first screen of either login portal 128, 110; and/or asplash page with a button or link visible for the user to click in orderto manually cause their web browser to proceed to the first screen ofthe login portal 128, 110.

Because the alternate content served by the web server 128 at step 316is not the real content that will become available to the user device117 at the desired external web server host after successful login, theweb server 128 adds various headers to prevent the user device 117 fromcaching the alternate content. To prevent the user device 117 fromincorrectly caching the alternate content sent as that of the requestedweb page, the web server 128 includes a cache-control header in the HTTPresponse having one or more directives set to prevent caching. Becausenot all browsers recognize or respond correctly to all cache-controldirectives, the HTTP response header may be set to include multiplecache control directives such as: “Cache-Control: no-cache, no-store,max-age=0, must-revalidate”. Other combinations of one or morecache-control directives may also be used to prevent the browser runningon the client device 138 from caching the modified HTML content sent atthis step.

In another example, rather than (or in addition to) the cache-controlHTTP header added to the HTTP response at step 316, the web server 128may also modify the alternate HTTP content sent at this step to furtherinclude an HTML no-cache meta tag. Similar to the HTTP header, thepurpose of the no-cache meta tag is to instruct the browser running onthe non-logged in user device 117 not to cache the alternate contentsent at this step as the content of the user-requested web page.

Any alternate page content could be generated and sent to the non-loggedin user device 117 at step 316. The alternate content will generally bedifferent than what the user would have received from the target URL hadthe user been logged in. Further examples of alternate content include:

-   -   a splash screen with a button or link for the user to click to        proceed to the first page of the login process on the login        server 128    -   the first page of the login process on the login server 128    -   the first page of any desired website (e.g., login page or        cleared website 106)    -   a browser redirection message to any desired website (e.g.,        login page or cleared website 106)

Concerning the alternate content generated and provided by the webserver 128 at step 316, the alternate content could also be generatedsimilar to how the first screen of content is generated by the captiveportal server described by co-inventor David Ong in U.S. Pat. No.8,650,495 issued Feb. 11, 2014 and U.S. Patent Publication No.20140090030 published Mar. 27, 214 (both entitled, “CAPTIVE PORTAL THATMODIFIES CONTENT RETRIEVED FROM DESIGNATED WEB PAGE TO SPECIFY BASEDOMAIN FOR RELATIVE LINK AND SENDS TO CLIENT IN RESPONSE TO REQUEST FROMCLIENT FOR UNAUTHORIZED WEB PAGE”), which are both incorporated hereinby reference. Briefly described, relative links in the content of aparticular web page can be converted by the login web server 128 intoabsolute links to reduce load on the login server 128 acting as atransparent proxy for future requests. See the above-identified captiveportal server patent and publication by David Ong for more information.

At step 318, because the user device 116 that made the HTTP request isalready logged in, the web server 128 acts as a transparent proxybetween the user device 116 and the target host specified in the HTTPrequest. The purpose of the this step is to ensure that a logged in userdevice 116 that has cached the IP address of the login server 128 forthe domain name of the host will still be able to access content on thathost.

At step 320, substantially immediately after sending either thealternate content at step 316 or acting as a transparent proxy for asingle HTTP-request-response transaction at step 318, the web server 128closes the connection with the user device 116, 117. To increasesubsequent page load speeds from a web server, typical web browsers willhold the connection to the web server in an open state using variouskeep-alive techniques. The goal of holding the connection open is thatfuture HTTP requests to the same server will not need to first open aTCP connection, thereby saving the time related to the connection setup.For example, a typical user device 116, 117 will try to request all theimages, scripts, CSS files, and other content required to display thedesignated web page over the same connection. In order to force the userdevice 116, 117 to open a new connection for subsequent HTTP requests togather these content elements, after either sending the alternatecontent at step 316 or acting as the transparent proxy for a singlerequest-response transaction at step 318, the captive portal server 102deliberately closes the TCP connection with the client device 138.

When reaching step 320 from step 318, closing the connection for thelogged-in user device 116 may allow the browser running the logged inuser device 116 to clear its cached IP address (either internal timer onbrowser cache runs out or the act of the connection closing possibilitytriggers the cache to clear). If the browser clears the cached IPaddress of the login server, then a next HTTP request for the targethost will trigger a new DNS request and, as a result of the user devicenow being logged in, the DNS server 134 will provide the user devicewith the correct IP address of the target host (step 210). In this way,closing the connection by the web server 128 at step 320 before asubsequent HTTP request is received from a logged in user device 116potentially reduces the load on the web server 128 acting as thetransparent proxy 126.

If a non-logged in user device 117 initially tries to visit an HTTPSURL, the user must add a certificate exception in their browser in orderto get to the login screen provided by the login web server 128. Thiscertificate exception requirement also exists when using TCP connectionhandshake IP spoofing techniques by an intermediate gateway in otherprior art captive portal configurations so this is not a new problemunique to DNS-based captive portals. However, the DNS-based captiveportal of this embodiment of the present invention uses the certificateexception to its advantage while acting as the transparent proxy at step318. In the situation where the user's logged in computer 116 has cachedthe IP address of the login server 128 for an HTTPS URL, the certificateof the login server 128 has already been accepted by the user and thelogin server 128 is therefore able to establish a secure connection,receive an HTTP request over that secure connection, and see thedestination “host” and other headers of the HTTP request even though itis being transmitted in using HTTPS.

To act as a transparent proxy 124 for HTTPS, the web server 128 usesman-in-the-middle techniques to decrypt and re-encrypt HTTPS sessions onboth sides of the transaction. This works on the user side without anywarnings to the user because the user already added a certificateexception to their browser when they initially went to login server 128before their user device 117 was logged in. Therefore, even though thenow logged in user device 116 is making a request to a destination URLencrypted in an HTTPS request, the user's browser will accept andestablish an encrypted session with the login web server 128 because thebrowser has already added a certificate exception. The web server 128can thereby read the HTTP request headers and find out the target URL inorder to perform transparent proxying 126. Similarly, the transparentproxy 126 can establish an HTTPS connection with the desired host (e.g.,a non-cleared website 108) on behalf of the user device and simply passrequests and responses back and forth between the encrypted sessionswith both these devices (e.g., user device 116 and non-cleared host108).

Often within a captive portal environment there will be some clearedwebsites 106 on the Internet 104 that are to be made freely accessiblefrom within the walled garden even for non-logged in user devices 117.In FIG. 1, the cleared websites 106 are listed on the cleared sites list139, which is stored in a storage device such as a hard drive or otherstorage medium 122.

FIG. 4 shows a flowchart of operations performed by the domain namesystem (DNS) server 134 of FIG. 1 in order to allow free websitesaccording to an exemplary embodiment of the invention. In order tosupport free websites 106, the operation of the DNS name server 134 ismodified to include new steps 400 and 402 as follows.

When the DNS request is determined to have been received from anon-logged in user device 117 at step 204, control proceeds to new step400 to query the cleared sites list 139. The purpose of this query is tocheck whether the target domain name in the DNS request matches one ofthe cleared websites 106 specified on the cleared sites list 139. Whenyes, control proceeds from new step 402 to step 210 to reply with thecorrect IP address of the destination. Alternatively, when no, controlproceeds from new step 402 to step 206 to reply with the IP address ofthe login web server 128 as the resolved IP address. In this way, evennon-logged in user devices 117 will be able to properly resolve the IPaddresses of cleared web sites 106 listed on the cleared sites list 139.

In some applications, cleared/free websites on the cleared sites list139 need to be cleared at the DNS server so that regardless of whetherthe user's computer is logged in or not they will always get the true(i.e., correct) IP address of a cleared website. The DNS server 134modification of FIG. 4 may be suitable for such applications.

FIG. 5 shows a flowchart of operations performed by the login web server128 of FIG. 1 in order to allow free websites according to an exemplaryembodiment of the invention. In order to support free websites 106, theoperation of the web server 128 is modified to include a new steps 500and 502 as follows:

When the HTTP request is determined to have been received from anon-logged in user device 117 at step 314, control proceeds to new step500 to query the cleared sites list 139. The purpose of this query is tocheck whether the target host field in the HTTP request header matchesone of the cleared websites 106 specified on the cleared sites list 139.When yes, control proceeds from new step 502 to step 318 to act as atransparent proxy between the non-logged in user device 117 and thecleared website 108. Alternatively, when no, control proceeds from newstep 502 to step 316 to reply with alternate page content such as thefirst page of the login portal. In this way, non-logged in user devices117 will be able to browse cleared web sites 106 listed on the clearedsites list 139 even if the user device 117 mistakenly sends its HTTPrequest to the IP address of the login web server 128.

To support cleared websites, either the DNS server 134 or the login webserver 128 may have its operation modified in different embodiments inthe manner shown in FIGS. 4 and 5, respectively. Alternatively, thefunctionality of both the DNS server 134 and the login web server 128may be modified in a single embodiment in the manner shown FIGS. 4 and5, respectively.

The above embodiment of the firewall/gateway rules 700, the second nameserver 138 operation for the cleared sites list 139, and the login webserver 128 is also compatible with the smart walled garden byco-inventor David Ong described in U.S. Pat. No. 8,448,231 issued May21, 2013 (entitled, “WALLED GARDEN SYSTEM FOR PROVIDING ACCESS TO ONE ORMORE WEBSITES THAT INCORPORATE CONTENT FROM OTHER WEBSITES AND METHODTHEREOF”) and U.S. Patent Publication No. 20130239199 published Sep. 12,2013 (entitled, “WALLED GARDEN PROVIDING ACCESS TO ONE OR MORE WEBSITESTHAT INCORPORATE CONTENT FROM OTHER WEBSITES”), which are bothincorporated herein by reference. The teachings of these applicationscan be utilized herein to handle the cleared sites list 139, addcorresponding website-specific Internet access rules 722, and ensurethat these cleared websites 106 also work when incorporating materialfrom other non-cleared websites 108 via the operation of transparentproxy 126. Briefly described, the login portal 138 will also act as atransparent proxy 126 for a non-logged in user device 117 when thereferrer header of the incoming HTTP request indicates one of thewebsites on the cleared sites list 139. See the above-identified smartwalled garden patent and publication by David Ong for more information.

FIG. 6 shows operations of the login web server 128 of FIG. 1 in orderto log in a user device 117, setup various rules in the firewall/gateway118, and add the device identifier to the login database 130 accordingto an exemplary embodiment of the invention. With reference to FIG. 1,the steps of FIG. 6 are performed by the processors 120 of the captiveportal server 102, or, in another embodiment, the steps may be performedby one or more processors of a standalone web server 128. The steps ofthe flowchart are not restricted to the exact order shown, and, in otherconfigurations, shown steps may be omitted or other intermediate stepsadded. In this embodiment, the web server 128 performs the followingsteps:

At step 600, a non-logged in user device 117 successfully logs in andthereby becomes a logged in user device 116. In some embodiments the actof logging in may simply consist of the user accepting terms andconditions in order to access the Internet 104 through the captiveportal server 102. In other embodiments, the act of logging in mayrequire payment information or username/password authentication. Thesteps required to successfully log in a user device 117 depend on theapplication-specific requirements and are known in the art; furtherdescription is therefore omitted herein for brevity.

At step 602, the web server 128 adds a device identifier of the nowlogged in user device 116 to the login database 130. For example, thedevice identifier may correspond to the MAC and/or IP address of theuser device 116 as determined by the login web server 128 inspectingEthernet frames and/or TCP/IP packets received from the user device 116.

At step 604, the web server 128 adds two sets of firewall rules: a firstto forward all DNS traffic from the now logged in user device 116 to thefirst name server 136, and a second to clear network traffic from thenow logged in user device 116 for transmission to the Internet 104.

FIG. 7 shows exemplary DNS rules 702 and Internet access rules 704utilized to configure the firewall/gateway 118 of FIG. 1 according to anexemplary embodiment of the invention.

As shown in FIG. 7, the DNS rules 702 include a number ofdevice-specific DNS rules 710. Each of the device-specific DNS rules 710forwards DNS requests (to destination port 63) from a specific logged inuser device 116 to the first name server 136. In this way, as a resultof step 210 in FIG. 2 (and/or FIG. 4), each of the logged in userdevices 116 will be able to resolve the correct IP addresses websites onthe Internet 104 such as the non-cleared websites 108. The DNS rules 702also include a default DNS rule 712, which forwards all DNS requestsfrom all other (i.e., non-logged in) user devices 117 to the second nameserver 138. In this way, as a result of step 206 in FIG. 2 (and/or FIG.4), each of the non-logged in user devices 117 will have all DNSrequests resolved to the IP address of the login web server 128. Aspreviously explained, the DNS server 134 may actually resolve thecorrect IP addresses for the IP address of a domain corresponding to acleared web site 108 even for non-logged in user devices 117, forexample, see steps 400 and 402 in FIG. 4.

According to the DNS rules 702, logged in user devices 116 have theirDNS traffic redirected to the first name server 136, whereas DNS trafficfrom non-logged in user devices 117 is sent to the second name server138. In this embodiment, the first name server 136 is a regular DNSserver that provides correct global IP addresses for target domainnames, and the second name server 138 is a special DNS server that onlyprovides correct global IP addresses for target domain names that matchthose on the cleared sites list 139. For all non-cleared websites 108(i.e., all websites not specifically listed on the cleared sites list139), the second name server 138 provides the IP address of the loginweb server 128 regardless of the target domain name specified in the DNSrequest.

The Internet access rules 704 include a number of device-specificInternet access rules 720. Each of the device-specific Internet accessrules 720 allows a particular logged in user device 116 to access anynon-local IP address such as all websites on the Internet 104. TheInternet access rules 704 also include a number of website-specificInternet access rules 722. Each of the website-specific Internet accessrules 722 allows all logged in and non-logged in user devices 116, 117to access the particular IP address of the website. Website-specificInternet access rules 722 are utilized in conjunction with the clearedsites list 139 so that non-logged in user devices 117 are enabled toaccess the IP addresses of the cleared websites 108. There is onewebsite-specific Internet access rule 722 for the IP address of eachspecific website on the cleared sites list 139. The Internet accessrules 704 further include a default Internet access rule 724, whichblocks all outgoing Internet traffic if one of the proceeding rules doesnot apply. In this way, all non-logged in user devices 117 are blockedfrom accessing websites on the Internet 108 unless the destination IPaddress corresponds to a cleared website 108 specified on the clearedsites list 139.

Returning again to the description of FIG. 6, at step 606 the login webserver 128 checks to see whether the logged in user device 116 has beenlogged out by the user; if yes, control proceeds to step 610; otherwise,control proceeds to step 608.

At step 608, the login web server 128 checks to see whether an allocatedtime duration has expired for the logged in user device 116. In someembodiments, a user device may be logged in for a predetermined timeduration such as one hour or one day. After the time duration hasexpired, the logged in user device 116 is automatically logged out andbecomes a logged out user device 117. The time duration checked at thisstep may be predetermined based upon the payment options selected andmade by the user during the login process at step 600. When the logintime duration has expired, control proceeds from step 608 to step 610;otherwise, control returns to step 606 to check for user logout beforethe time expiry.

At step 610, the login web server 128 removes the variousdevice-specific rules for the now logged out user device 117 from thefirewall/gateway 118. With reference to the exemplary firewall/gatewayrules 702 shown in FIG. 7, the web server 128 removes thedevice-specific DNS rule 710 and the devices-specific Internet accessrule 720 that correspond to the source IP address of the now logged outuser device 117. In this way, the default DNS rule 712 and the defaultInternet access rule 724 apply for the newly logged out user device 117.The newly logged out user device 117 will therefore no longer be able toresolve the IP address of non-cleared websites 108 on the Internet 104and will no longer be able to send traffic to non-cleared websites 108on the Internet 104 (even if the user device 117 already has cached theIP addresses of the non-cleared websites 108).

At step 612, the login web server 128 deletes the record of the newlylogged out user device 117 from the login database 130 to therebycomplete the logout process.

As described in the background section, there are two primary problemswith DNS-based captive portals in use today: 1) they do not work when anon-logged in user accesses an external destination by IP address ratherthan domain name, and 2) an incorrect IP address may be cached on theuser's device as resolving to an external website even after the userhas successfully logged in.

Concerning the first problem, the gateway/firewall 118 of FIG. 1 isconfigured with a default Internet access rule 724 (see FIG. 7) thatprevents all non-logged in user devices 117 from accessing non-clearedwebsites(s) 108 on the Internet 104. In this way, when a non-logged inuser device 117 attempts to access a non-cleared websites 108 using theIP address of the non-cleared website, the connection request or othertraffic from the non-logged in user device 117 is dropped by thegateway/firewall 118 in compliance with the default Internet access rule724. The inventors of the present invention anticipate that most userswill try a popular domain-based URL such as “google.com” in order totest if their computer is connected to the Internet upon failing toaccess an IP-based destination. For this reason, besides configuring thegateway/firewall 118 to prevent non-logged in user devices 117 fromaccessing non-cleared websites 108 on the Internet 104 (see firewall118's default Internet access rule 724 in FIG. 7), no other techniquesare utilized in this embodiment to cause IP-based access requests fromnon-logged in user devices 117 to display the login portal.

Concerning the second problem that the logged in user devices 116 maystill cache an incorrect IP address for the domain name of a(non-cleared 108) website, the captive portal server 102 in theembodiment of FIG. 1 acts a transparent proxy 126 in the event that thelogin web server 128 receives from a logged in user device 117 an HTTPrequest for another host such as a non-cleared website 108 on theInternet 104. In this way, immediately after successful login, users areable to access all non-cleared websites 108 without having to wait fortheir web browser's cached IP addresses to timeout and without having torestart the web browser in order force it to clear its cached IPaddresses. User convenience is thereby increased.

Another benefit of the captive portal server 102 of FIG. 1 is that itprevents non-logged in user devices 117 from escaping the captive portalvia the DNS protocol. In some prior art captive portals that preformbrowser redirection using an intermediate gateway device, it is stillpossible for a non-logged in user device to tunnel out to the Internetusing the domain name system (DNS) protocol. In some prior artimplementations, DNS requests from a non-logged in user device 117 willbe passed out to the Internet and responses will be passed back to thenon-logged in user device. A hacker can therefore disguise their trafficas DNS requests/responses (e.g., by using port 53 for DNS instead ofports 80 and 443 for HTTP and HTTPS, respectively) and thereby escapethe captive portal. In other prior art implementations, DNS requests arehandled locally within the captive portal but will involve the local DNSserver communicating with external DNS servers on the Internet such asto retrieve records and other information for an unknown domain name. Toescape such captive portals, a hacker can setup a rogue DNS server onthe Internet with a specific domain name and tunnel Internet traffic toand from this rogue DNS server via the local DNS server.

The captive portal server 102 of FIG. 1 beneficially overcomes theseproblems of prior art captive portals because non-logged in user devices117 have their DNS traffic routed to a special name server 138specifically designed to resolve all not specifically cleared domainnames to the IP address of the login web server 128. In this way, DNStraffic from a non-logged in user device 117 is not routed to theInternet 104 either directly or indirectly; therefore, it is notpossible for a non-logged in user device 117 to tunnel web trafficto/from the Internet 104 using the DNS protocol in these embodiments ofthe present invention. Furthermore, even if the user's computer is setto use OpenDNS or another external DNS provider, the firewall/gatewayrules 600 will redirect all DNS requests from non-logged in user devices117 to the specified DNS server 134 so the captive portal will stillfunction properly.

Another advantage enabled by certain embodiments of the presentinvention is that a browser 3XX redirection message is not required(although one could still be utilized at step 316 if desired). In atypical approach to captive portals, when a user tries to go to the URLor address of a first web site, an intermediate gateway pretends to bethe desired website by performing a TCP connection handshake with theuser's computer using the IP address of the site to which the user'scomputer is attempting to connect. After establishing the connectionwith the user's computer, the gateway sends a web browser an HTTP 3XXbrowser redirection message to automatically cause the user's webbrowser to redirect to a different URL or IP address than originallyrequested. For example, to redirect to a login webpage. One problem withthis conventional approach is that automatic browser redirection oftenannoys users, and some browsers may be configured to block or ignorebrowser redirect messages so the above-described redirection will fail.Embodiments of the present invention can be utilized to solve thisproblem by not requiring a browser redirection message to be sent atstep 316.

In an exemplary embodiment of the invention, a captive portal systemincludes a login database, a web server, and a name server. The nameserver receives a DNS request from a user device, queries the logindatabase to determine whether the user device is logged in, and respondsto the DNS request with the IP address of the web server as a resolvedIP address of the specified domain name when the user device is notlogged in. The web server accepts a connection request from the userdevice to the IP address of the web server, receives an HTTP requestspecifying a non-local target URL from the user device, queries thelogin database to determine whether the user device is logged inaccording to the source address of the user device, and acts as atransparent proxy between the user device and the non-local target URLwhen the user device is logged in.

Although the invention has been described in connection with preferredembodiments, it should be understood that various modifications,additions and alterations may be made to the invention by one skilled inthe art without departing from the spirit and scope of the invention asdefined in the appended claims. For example, in another configuration ofthe invention, one or more of the gateway/firewall 118, encryptionmodule 124, transparent proxy 126, cleared sites list 139, first nameserver 136, second name server 138, login database 130, and/or login webserver 128 may be implemented as an external device having its ownprocessor(s), network interface(s), storage medium/media, and othernecessary hardware components.

In another example, rather than (or in addition to) closing theconnection with the client device 138 at step 230, the web server 128includes at step 316 a connection header in the HTTP response having oneor more directives set to prevent the browser on the client device 117from holding the connection open after receiving the HTTP response. Forexample, the web server 128 may include an HTTP response header such as:“Connection: close”, which indicates to the client device 117 that theconnection is not a persistent connection and should therefore be closedafter receiving the HTTP response. Either or both of including aconnection header at step 316 and/or closing the connection at step 320may be employed by the web server 128 to cause the connection with theclient device 117 to be closed after replying to the client device withthe HTTP response and before a subsequent HTTP request is received fromthe client device over the same connection.

In the above description, the exemplary user indication of “guest” isutilized to refer to users as it common for customers of a hospitalityestablishment to be referred to as guests. However, it is not arequirement that the guests must be customers of the hospitalityestablishment and the term guest in this description includes otherusers such as current guests in the hotel, people who are attending aconference or meeting in the hotel, staff members at the hotel, or anyother person or user who may need or want to access a network serviceover a computer network at the hospitality establishment. Future gueststhat have reservations, potential future guests that don't yet havereservations, and other users may also be given access to the networkservice on their guest devices. For example, a demonstration of thetechnology may be available in a hotel lobby guest area and all userswould be able to try out the system 100 in order access the Internet104. Additionally, it is not necessary that the users bring their ownuser devices 116, 117. In another configuration, one or more of the userdevices 116, 117 may be provided to the user by the hotel. It shouldalso be noted that although portable devices that are easily carried areanticipated by the inventors as being particularly useful as userdevices 116, 117, it is not a strict requirement that the user devices116, 117 be easily carried. Other devices such as desktop computers thatare of a more permanent nature may also act as user devices 116, 117 inconjunction with the invention.

A problem with convention DNS-based captive portals is that the user'sweb browser caches the login server's IP for external websites and thenthese websites do not work after the user has logged in and should havegained access to the websites. In the above embodiments, the transparentproxy operation 126 of the login server 126 for logged in guest devices116 allows logged in guest devices 116 to access target URLs even when alogged in guest device has cached the wrong IP address for the hostdomain name of the target URL.

Although the invention has been described as being utilized at a hotelfor illustration purposes, the present invention is equally applicableto any hospitality related location or service wishing to cause users todisplay a login portal or other designated web page including but notlimited to hotels, motels, resorts, hospitals, apartment/townhousecomplexes, restaurants, retirement centers, cruise ships, busses,airlines, airports, shopping centers, passenger trains, libraries,coffee shops, hotspots, etc. Additionally, the invention is applicableto situations where a captive portal is required including other typicalhome and corporate usages in addition to the above described hospitalityexamples.

The various separate configurations, elements, features, embodiment, andmodules of the invention described above may be integrated or combined.The modules may be executed by one or more processors 116 operatingpursuant to instructions stored on a tangible, non-transitorycomputer-readable medium 122 to perform the above-described functions ofany or all aspects of the captive portal server 102. Examples of thetangible, non-transitory computer-readable medium include optical media(e.g., CD-ROM, DVD discs), magnetic media (e.g., hard drives,diskettes), and other electronically readable media such as flashstorage devices and memory devices (e.g., RAM, ROM). Thecomputer-readable medium may be local to the computer executing theinstructions, or may be remote to this computer such as when coupled tothe computer via a computer network. The processors 120 may be includedin a general-purpose or specific-purpose computer that becomes thecaptive portal server 102 as a result of executing the instructions. Inanother example, rather than being software modules executed by one ormore processors 120, the various modules such as gateway/firewall 118,encryption module 124, transparent proxy 126, login web server 128, DNSserver 134, etc. may be implemented as hardware modules such asapplication specific integrated circuits (ASICs) or other types ofprogrammable hardware such as gate arrays configured to perform theabove-described functions. Functions of single modules may be separatedinto multiple units, or the functions of multiple modules may becombined into a single unit. Unless otherwise specified, featuresdescribed may be implemented in hardware or software according todifferent design requirements. In addition to a dedicated physicalcomputing device, the word “server” may also mean a service daemon on asingle computer, virtual computer, or shared physical computer orcomputers, for example. Additionally, all suitable combinations andpermutations of the above described features and configurations may beutilized in conjunction with the invention.

What is claimed is:
 1. A server in a captive portal system, the servercomprising: a first network interface coupled to a local computernetwork; a second network interface coupled to an external computernetwork; a memory device storing a plurality of software instructions;and one or more processors coupled to the memory device, the firstnetwork interface, and the second network interface; wherein, by the oneor more processors executing the software instructions loaded from thememory device, the one or more processors are configured to: accept aconnection requested from a user device on the local computer network toan IP address of the server, the connection to the IP address of theserver occurring as a result of a name server previously determining theuser device to not be logged in to the captive portal system andproviding the user device the IP address of the server as a resolved IPaddress of a target domain name, the user device thereafter caching theIP address of the server provided by the name server as the resolved IPaddress of the target domain name; determine whether the user device islogged according to a source address of the user device; act as atransparent proxy between the user device and a remote destination onthe external computer network to thereby allow the user device toreceive content from the remote destination via the connection inresponse to determining that the user device is logged in; and sendalternate content different than that provided by the remote destinationto the user device via the connection when the user device is not loggedin.
 2. The server of claim 1, further comprising: a storage devicestoring a list of cleared sites; wherein the one or more processors arefurther configured to check whether the remote destination is a clearedsite and to further act as the transparent proxy between the user deviceand the remote destination further in response to determining the remotedestination is included on the list of cleared sites.
 3. The server ofclaim 1, wherein the one or more processors are further configured to:retrieve secondary content from a web server; and generate the alternatecontent by modifying the secondary content retrieved from the webserver.
 4. The server of claim 1, wherein the user device specifies theremote destination in an HTTP request sent to the server via theconnection.
 5. The server of claim 1, wherein the user device specifiesthe remote destination in an HTTPS request sent to the server via theconnection.
 6. The server of claim 1, wherein the alternate content is abrowser redirection message causing a web browser running on the userdevice to automatically redirect to a login portal.
 7. The server ofclaim 1, wherein the alternate content is a first page of content from alogin portal.
 8. The server of claim 1, wherein the alternate content isa splash page with a user-clickable link or button to a login portal. 9.The server of claim 1, wherein the memory device further stores a logindatabase, and the one or more processors are further configured to querythe login database to determine whether the user device is currentlylogged in.
 10. The server of claim 1, wherein the one or more processorsare further configured to redirect all DNS queries received from theuser device to the name server.
 11. A method of controlling access fromuser devices to an external network, the method comprising: accepting aconnection requested from a user device on a local computer network toan IP address of a server, the connection to the IP address of theserver occurring as a result of a name server previously determining theuser device to not be logged in to a captive portal system and providingthe user device the IP address of the server as a resolved IP address ofa target domain name, the user device thereafter caching the IP addressof the server provided by the name server as the resolved IP address ofthe target domain name; determining whether the user device is logged inaccording to a source address of the user device; acting as atransparent proxy between the user device and a remote destination onthe external network to thereby allow the user device to receive contentfrom the remote destination via the connection in response todetermining that the user device is logged in; and sending alternatecontent different than that provided by the remote destination to theuser device via the connection when the user device is not logged in.12. The method of claim 11, further comprising: checking whether thetarget domain name is included on a list of cleared sites; and acting asthe transparent proxy between the user device and the remote destinationfurther in response to determining the remote destination is included onthe list of cleared sites.
 13. The method of claim 11, furthercomprising: retrieving secondary content from a web server; andgenerating the alternate content by modifying the secondary contentretrieved from the web server.
 14. The method of claim 11, wherein theuser device specifies the remote destination in an HTTP request sent tothe server via the connection.
 15. The method of claim 11, wherein theuser device specifies the remote destination in an HTTPS request sent tothe server via the connection.
 16. The method of claim 11, wherein thealternate content is a browser redirection message causing a web browserrunning on the user device to automatically redirect to a login portal.17. The method of claim 11, wherein the alternate content is a firstpage of content from a login portal.
 18. The method of claim 11, whereinthe alternate content is a splash page with a user-clickable link orbutton to a login portal.
 19. The method of claim 11, further comprisingredirecting all DNS queries received from the user device to the nameserver.
 20. A non-transitory computer-readable medium comprisingcomputer executable instructions that when executed by one or morecomputers cause the one or more computers to perform steps of: acceptinga connection requested from a user device on a local computer network toan IP address of a server, the connection to the IP address of theserver occurring as a result of a name server previously determining theuser device to not be logged in to a captive portal system and providingthe user device the IP address of the server as a resolved IP address ofa target domain name, the user device thereafter caching the IP addressof the server provided by the name server as the resolved IP address ofthe target domain name; determining whether the user device is logged inaccording to a source address of the user device; acting as atransparent proxy between the user device and a remote destination on anexternal network to thereby allow the user device to receive contentfrom the remote destination via the connection in response todetermining that the user device is logged in; and sending alternatecontent different than that provided by the remote destination to theuser device via the connection when the user device is not logged in.